问题
I am looking for a comprehensive record of secure coding practices in C++. Since i haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack and heap based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc..
NB: Besides coding practices, secure libraries that defend against these kind of attacks are worth mentioning too.
LE: As suggested by MSalters in comments this question has been split into two separate questions one for C++ and one for C. Also see Secure C coding practices.
回答1:
The book Writing Secure Code is very good at explaining security issues and how to avoid them. The book has been out for a while, but most of the topics covered are still relevant.
回答2:
Herb Sutter "Exceptional C++" and "C++ Coding Standards". Invaluable.
Marshall Cline C++ faq. Will tell you everything about common pitfalls. Free online.
回答3:
I found this book very useful Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More
It has a lot of examples for both Linux (posix) and Windows unlike the previous mentioned Writing Secure Code, Second Edition.
回答4:
The Joint Strike Fighter Air Vehicle C++ Coding Standards is a good start, even though it does apply mostly to reliability rather than security.
回答5:
The SEI CERT C++ Coding Standard is especially developed to cover all kind of security issues. CERT stands for Computer Emergency Response Team, which is an expert group that handles computer security incidents.
回答6:
Let me kick it off
- Avoid dynamically allocated memory using malloc
- (related) use fixed size array when ever possible, or infact in C++ avoid C style arrays when practical
- avoid the use of
(void *)
来源:https://stackoverflow.com/questions/4780410/secure-c-coding-practices